Requirement: Cyberspace Operations Specialized Computer Forensics Support
Location: Mons, BELGIUM
Full Time On-Site: Yes
Time On-Site: 100%
Not to Exceed: 2026 BASE: NTE 112,230 EUR
2027 OPTION: NTE 43,000 EUR
Period of Performance: 2026 BASE: 02 JUN 2026 to 31 DEC 2026
2027 OPTION: 1 JAN 2027 to 30 MAY 2027
Required Security Clearance: NATO COSMIC TOP SECRET
Please do NOT apply for any NATO contract positions unless you meet ALL the following criteria:
- Current National or NATO SECRET clearance
- Nationality of one of the NATO member countries
- Current work visa for the specific location if applying for an in-country position
Background:
The NCI Agency has been established with a view to meeting the collective requirements of some or all NATO nations in the fields of capability delivery and service provision related to Consultation, Command & Control as well as Communications, Information and Cyber Defence functions, thereby also facilitating the integration of Intelligence, Surveillance, Reconnaissance, Target Acquisition functions and their associated information exchange.
Introduction:
The NATO Cyber Security Centre (NCSC) is a team of over 200 members working to monitor and protect NATO networks. In the NCSC's role to deliver robust security services to the NATO Enterprise and NATO Allied Operations and Missions (AOM), the centre executes a portfolio of programmes and projects around 219 MEUR euros per year, in order to uplift and enhance critical cyber security services.
The Portfolio ranges from Programme of Work (POW) activities funded via the NATO Military Budget (MB) to Critical / Urgent Requirements (CURs/URs) and NATO Security Investment Programme (NSIP) projects funded via the Investment Budget (IB). In some edge cases, projects are also funded via the Civilian Budget (CB). Projects can span multiple years and are governed by various frameworks, including the Common Funded Capability Development Governance Framework (CFCDGM).
In order to execute this work, the NCI Agency requires support with the work undertaken by the NATO Cyber Security Centre (NCSC) in the area of Communications and Information System (CIS) security, cyber defence and cyberspace operations. This Statement of Work (SoW) specifies the required skillset and experience.
Purpose:
The NCSC is responsible to defend NATO networks on a 24/7 basis and as part of its cyber defence activities performs digital forensics analysis in case of suspicion or confirmed malicious activities. The Cyber Defence Analysis activities encompass digital forensics activities allowing to get understanding what has really happened during a cyber incident, or in case of suspicion of an incident, to confirm if the incident really happened.
The Specialized Computer Forensics (SCF) environment is a dedicated environment for forensics activities. Due to lack of clear ownership, it has fell in a state of inadequacy for the delivery of the service. The NCSC Cyber Security Analysis Service (SEC004) service is looking for help from the industry to bring it back in a good state.
The hardware is a mix of physical acquisition devices such as Atola, PC3000, Network Attached Storage (NAS) devices, powerful workstations and servers, but also various disks, cables, converters, write blockers, patch panels, switches and other accessories. The environment is replicated, although not in exactly the same way, on 2 different levels of classification. The work encompasses both environments. In total there are not more than 30 workstations and not more than 20 servers (both physical and virtual). The user base consists of less than 30 users (analysts and administrators).
Objectives:
This Statement of Work (SoW) outlines the services to be provided by the Supplier to NCSC for providing support to Cyber Security Analysis Service (SEC004).
Coordination and Reporting:
At the end of each deliverable, the R1 deliverable report (see Annex A) will be provided for validation by the SEC004 Service Delivery Manager. The report shall contain the dates of delivery according to the schedule defined for each deliverable (see Section 5 - Deliverables).
The report will be prefilled by the service provider and includes as supporting documentation the list of deliverables produced including, where applicable, the links to the documentation portal and/or change management tool.
Requirements
Skills:
Services under the current SOW are to be delivered by one or multiple resources that must meet the following experience, qualities and qualifications:
- Demonstrable minimum 3 years of experience as system administrator
- Good knowledge of the OSI layers and protocols such as TCP/IP, 802.1x, VLANs
- Knowledge of digital forensics principles such as chain of custody and forensically sound acquisition processes
- Knowledge of tools such as Microsoft Office (Word, Excel, Power Point and Visio)
- Knowledge of ITILv4 processes and change management principles
- Demonstrable 2 years of experience with Atlassian Confluence
- Demonstrable 2 years of experience with draw.io or similar network diagram tools
- Demonstrable 3 years of experience of advising companies with digital forensics processes
- At least 1 relevant certification pertaining to digital forensics: CISSP, MCFE, SANS GIAC, or equivalent
- Good English writing and speaking skills (NATO STANAG 3333)
- Soft skills: Accuracy and Attention to Details (Precision), Patience and Persistence, Methodical Organization, Time Management and Prioritization, Effective Communication.
Security and Non-Disclosure Agreement:
Any resource providing services under this SOW must be in possession of a security clearance NATO COSMIC TOP SECRET. The signature of a Non-Disclosure Agreement between any Service Provider's individuals contributing to this task and NCIA will be required prior to execution.
